How the feds put a bullet in a “bulletproof” Web host

Taking down the Gozi Virus and its distributor.

Being an online criminal isn't always easy. For one thing, there's all that tedious administrative overhead of deploying command and control servers, finding proxies to mask them, and shifting IP addresses to stay off of private security blacklists. Today's savvy cyber criminal, therefore, often outsources the work to so-called "bulletproof" hosting operations, which rent servers to criminals and take care of all the dirty details needed to keep them online. That was the approach taken by the Russian creator of malware known as Gozi—malicious password-stealing software which the US government today called "one of the most financially destructive computer viruses in history"—to store his stolen data. But as the malware man found out, bulletproof hosts can be taken down with enough effort. Even when they're based in Romania.

Gozi was coded back in 2005 and deployed in 2007. Back then, it largely targeted Europeans. When installed on a computer, the virus waited until the user visited an online banking site and then grabbed account names and passwords—anything that might be needed for a criminal to transfer money out of the user's account. This information was then sent silently to the Gozi command and control servers, from which it was harvested on a regular basis.

By 2010, the malware innovated in two important ways. First, it had gained the capability to do sophisticated Web injection. When an infected computer was pointed at a banking website, the virus wouldn't simply steal account login information; it could be configured to inject additional data requests right into the bank's webpage. This made it almost impossible to tell the requests were not being made by the bank itself. In this way, the malware could be tweaked to ask for Social Security numbers, driver's license information, a mother's maiden name, PIN codes—anything a client wanted.
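As an added illustration (not code from the article or from any of the parties it describes), here is the defender-side check a bank or browser extension could run against the injection described above: enumerate the fields a login page actually renders, compare them with a known baseline, and flag additions that ask for identity data. The baseline fields, the sensitive-name hints and the HTML snippets are all constructed for the example.

```python
"""Detect form fields a web inject has added to a known login page.

Added example: a baseline of the fields the bank's real login form
contains is compared with the fields rendered in the browser. Extra
fields, especially ones asking for SSN / PIN / mother's maiden name,
are exactly what the Gozi injects added. All inputs are constructed.
"""
from html.parser import HTMLParser

# Constructed baseline: what the legitimate login form contains.
BASELINE_FIELDS = {"username", "password"}

# Name fragments a login form should never be asking for.
SENSITIVE_HINTS = ("ssn", "social", "pin", "maiden", "license", "dob", "cvv")


class FormFieldCollector(HTMLParser):
    """Collect the name (or id) of every user-facing form control."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        # hidden and submit controls collect nothing from the user
        if (a.get("type") or "").lower() in ("hidden", "submit"):
            return
        name = a.get("name") or a.get("id")
        if name:
            self.fields.append(name.lower())


def extract_fields(html):
    """Return the user-facing field names in document order."""
    p = FormFieldCollector()
    p.feed(html)
    return p.fields


def find_injected_fields(html, baseline=BASELINE_FIELDS):
    """Return (injected, sensitive): fields absent from the baseline,
    and the subset whose names suggest identity/credential harvesting."""
    observed = extract_fields(html)
    injected = [f for f in observed if f not in baseline]
    sensitive = [f for f in injected if any(h in f for h in SENSITIVE_HINTS)]
    return injected, sensitive


# Constructed sample: a clean form, and the same form after an inject
# has added three extra questions between the password and the token.
CLEAN_FORM = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="submit" value="Log in">
</form>"""

INJECTED_FORM = CLEAN_FORM.replace(
    '<input type="hidden"',
    '<input type="text" name="ssn" placeholder="Social Security Number">\n'
    '  <input type="text" name="mothers_maiden_name">\n'
    '  <input type="password" name="atm_pin">\n'
    '  <input type="hidden"')

if __name__ == "__main__":
    for label, html in (("clean", CLEAN_FORM), ("injected", INJECTED_FORM)):
        injected, sensitive = find_injected_fields(html)
        print(f"{label}: injected={injected} sensitive={sensitive}")
```

The same comparison can run server-side against a rendered-DOM report from the client, which is harder for an inject to tamper with than a check that lives only in page script.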

The second innovation? Gozi expanded to the US and started targeting specific US banks. The collected information was then sold to other criminals, who quickly transferred money out of the targeted bank accounts. On August 13, 2010, for instance, $8,710 went missing from a Bronx resident's account. The amounts could go much higher; in February 2012, another New York resident lost $200,000. And it got even worse. An FBI investigation, revealed today, found two Gozi-infected computers had led to combined losses of $6 million for their two owners. Total losses appear to have reached "tens of millions" of dollars.

So, starting in 2010, the FBI launched an investigation. It didn't take long to find Gozi's creator, a 25-year-old Moscow resident named Nikita Kuzmin. By November 2010, Kuzmin had been arrested during a trip to the US; by May 2011 he pleaded guilty and agreed to forfeit his Gozi earnings, which might reach up to $50 million. Deniss Čalovskis, the 27-year-old Latvian man who allegedly coded the Web injects and customized them for various banks, was picked up by Latvian police in November 2012.

But it was the bulletproof host behind Gozi who turned out to be the most interesting catch—and who took longest to reel in.

“Answer me, damn it, I'm Virus”

FBI agents collected an incredible trove of data on the Gozi conspirators. According to court documents, this data cache included wiretaps, seized servers, an interview with a Gozi distributor, and even a host of chat logs lifted from a server used by the criminals behind Gozi. Despite all that, in the end what brought down the bulletproof host was as simple as a cell phone number.

With the number in hand, the FBI worked with the Romanian Police Directorate for Combating Organized Crime (DCCO), since the number was based in Bucharest. The DCCO obtained court permission to tap the phone, then agents listened to calls, watched text messages, and intercepted Web addresses and passwords entered on the handset for three months in the spring of 2012. On April 1, 2012, the phone's user sent a text message saying (according to an FBI translation), "Answer me, damn it, I'm Virus." The next day, a male voice called the phone and addressed its user as "Virus." But who was Virus?

Someone who wasn't too careful with his cell phone, for one thing. The phone was registered to a company called "KLM Internet & Gaming SRL," which was itself registered to a Bucharest man named Mihai Ionut Paunescu. The corporate registration was later changed, and investigators weren't positive who was actually using the phone until they listened in on a call in which the phone's user identified himself to the Romanian Commercial Bank as "Mihai Ionut Paunescu" and provided the correct national ID number corresponding to Paunescu. (The caller was seeking information on the proper procedure to withdraw US$20,000.)

Watching the smartphone's Web browsing history confirmed this phone belonged to the bulletproof host authorities sought. Paunescu regularly visited a site called adminpanel.ro. Romanian police watched as Paunescu entered the username and password to the site. Next they obtained court permission to search it. They did the search—and provided the information to the FBI. The site was essentially a set of status tables covering 130 physical computer servers which Paunescu apparently leased from legitimate hosting operations before reselling to less legitimate cyber criminals of all stripes.

Subtlety was not the order of the day here. Adminpanel.ro's data tables contained notes on what each virtual machine on each server was being used for, and these included things (in English) like "spy/malware," "semi-legal non sbl," "facebook spam 0%sbl," "illegal," and "100%SBLmalware." ("SBL" is an apparent reference to the well-known Spamhaus Block List targeting spammers.)

Keeping these 130 servers up and running for his clients apparently netted Paunescu a good deal of money. He kept meticulous records of how much he paid to lease every server and how much he received for leasing it back out. A typical entry shows that he spent "114EU" (euros) on a server that he resold for "330EU"—not a bad markup.

As for "Virus," it turned out that Paunescu used this as his online nickname.

Last month, Romanian police arrested him, bringing the Gozi story to a close.

Wayward youth

The US government revealed the three arrests today. It unsealed indictments against Kuzmin, Čalovskis, and Paunescu which make clear just how young all three men were when the alleged criminal behavior began. Kuzmin got started with Gozi back in 2005, when he was just 18. Čalovskis was allegedly involved since he was 20. Paunescu is only 28 now and has allegedly been in the bulletproof hosting business for years.

Kuzmin pleaded guilty and will be sentenced in the US, where he faces a maximum 95 years in prison. Extradition proceedings are underway for the other two, who could each face a max of 60 years in a US cell.

I won't say that they never shatter, but all the drives I've encountered bent. My university a few years ago decommissioned some drives with confidential data on them, and rather than take chances we dismantled them, used the platters as a teaching aid, and then attacked them with hammers. They definitely bend when given the right encouragement.

I'm impressed with the Romanian cooperation. My personal experience, and plenty of print articles, historically show a less than zealous interest in pursuing fraud (it's net cash inflow to an impoverished nation). Maybe the EU is having a positive effect.

As someone who worked in IT during college for a biomedical research center we destroyed a TON of scientific data by hand. I'd say all of the drives bend and crunch, they never shatter. I've never seen a platter drive that shatters before under normal conditions. We'd bend them into origami shapes, do line art in them, etc. Anything to make the otherwise boring job of destroying drives entertaining.

Generally, I've found laptop drives to be made of glass and desktop drives are usually aluminium. This isn't a hard and fast rule, but most laptop drives I've seen suffer physical damage usually end up shaking like a baby's rattle. Most desktop drives I've taken apart have aluminium platters, however after unexpectedly encountering a glass platter when trying to bend what I thought was aluminium, I've stopped doing anything to HDD platters that will reveal them as one sort or the other to me.

I get that these guys need to spend some time in jail, but 90 years, 65 years, 50 years? That seems really really excessive. Although maybe it's another case where the prosecution purposely tries to get a sentence that doesn't fit the crime so that they can make some kind of trade-in profit?

How much would they have gotten for writing bad cheques? Why are the penalties for electronic theft so much higher than comparable white collar physical-world crimes?

If these guys had been born in a Western country they probably would have ended up running start ups in California.


The system is broken.

I really don't see anything broken about giving a guy who stole up to $50 million 50/65/90 years in jail. Or am I to assume that this should be considered another non-violent crime that shouldn't net a sentence beyond what the typical rapist/murderer would get?


Well, let's see. Some guy steals $50 million. The banks reimburse the customers who lost money. The banks then recover their money by raising fees. The guy gets arrested and his earnings are "forfeited".

Does that mean the banks actually made $50M twice?

It is a non-violent crime and of course it shouldn't be comparable to rape/murder.

The victims are the customers who pay an extra 10 cents a month to their bank, but 10 cents a month hardly seems worth a life sentence.

Some guy steals $50 million. The banks reimburse the customers who lost money. The banks then recover their money by raising fees. The guy gets arrested and his earnings are "forfeited"....It is a non-violent crime and of course it shouldn't be comparable to rape/murder.

Non-violent? If I steal all your money & you take a turn for the dark side like AS unfortunately did (under other circumstances, but still we have all read of people throwing themselves off buildings in dire financial circumstances), is it still non-violent?

Recovering the money is rare. First off the perps have been living off it & secondly catching the scum is not as common an occurrence as we could hope for. Putting teeth into the sentences of the thieves is in line with the crimes committed IMO.


I'm personally not against these guys getting harsh sentences. I really dislike identity theft. But it would be very nice to see all financial crime punished as harshly. Steal $50 million, get 90 years in jail. Steal $50 billion, get a bail-out. That's not cool and needs immediate fixing.

Also, I keep wondering when we'll hear about the fate of an identity thief who stole money from someone in organized crime. If you steal from enough random people eventually you may steal from a psychopath who will want to make an example of you.


I'm not against harsh sentences either. I just don't think they should be life sentences. I think 10 years would be appropriate.

A life sentence means it makes sense for them to commit murder, kill jail guards, kill cops, etc. because they have nothing more to lose.

That's $1.20/year. The census bureau says there were 114.8 million households in the United States in 2010. Estimates are that up to 1/3 of households do not have bank accounts. So, about 76.4 million do. Times $1.20/year is $91.7 million/year. Forever. And just the United States. And that's not profit; it's a drag on the economy.

A life sentence is too good for them. (Although I can't think of anything worse that I'd really recommend.)


I heard about a guy in my country who got less than 5 years for sexually assaulting a toddler, and these guys get life for stealing an insignificant amount of money. It's not right. $50M is nothing to a bank, or the economy.

Story aside, I have a Makarov and a CZ-52. It's interesting to watch the damage both will do to computers. The Makarov, although much more accurate, and even with hotter ammo, won't go through hardware. The CZ on the other hand, through it and well into the backstop/tree behind it.

I wish I could find reliable ammo for the CZ, I'd be my daily carry instead of the Makarov.


Although we disagree on what's "right," consider that none of the criminals has been sentenced yet. Prosecutors always put maximum sentences in their press releases. People were writing about a 35 year sentence for Aaron Swartz, but the reality was that he was facing six months and would probably have been out in three.

The fact that you "heard about" someone in your country who received what, without knowing all the facts, seems to be a light sentence, has no bearing on the case at hand.

And if you think $50 million is nothing, well, I'm waiting for my check!


I agree sentences should be less than for violent/real world crimes, but something else to bear in mind - this isn't a sentence for a single crime. Effectively this is for many hundreds (if not thousands) of individual thefts (the end result, stealing the money from all those individuals) + computer fraud/ID theft/whatever else is involved. If I burgled a house (damaging nothing and not hurting or threatening anyone) and stole $8K, I'd certainly expect less of a sentence, but if I'd burgled a hundred homes?


My understanding of "forfeited" is the government keeps the money.

And how much does it cost to keep them in prison for life?

Assuming they get extradited to the US, according to Wikipedia the average cost per prisoner per year in 2005 was $23,876.

We'll assume due to inflation it's gone up a bit to $25,000 and that they will live another 50 years (they're all in their 20s now), then the cost (in today's money) to keep the three of them in prison for life is $3.75 million.

BTW that web injection should be obvious, especially when a site you've been going to on a regular basis starts asking a lot of questions, some they already should have the answer to.

Exactly!

Often, I start these stories expecting to see a completely seamless type of intrusion that would be invisible to even the most savvy of users. But anyone who sees a form like this for an account they have had for a time should immediately be concerned--it looks like a dead giveaway that something is horribly amiss...


Talk to the people whose "insignificant" life savings have been taken away. Although I agree that 5 years for the child rapist is way inadequate.

They are facing a MAXIMUM, meaning up to. Meaning that is as high as the sentence can possibly go. The Aaron Swartz case was not rare or an exception; the prosecution always says the maximum in their press releases. They are assuming the general public has the ability to read, and some idea of how the legal system works. These people committed a ton of crimes and either stole a lot of money or were an accomplice to the crimes. They are going to prison for a long time, though probably not the max.

Story aside, I have a Makarov and a CZ-52. It's interesting to watch the damage both will do to computers.

Instead of destroying computer hardware with your manly penis-enhancing firearms, why not donate said hardware to a charity instead where it can actually do some good. I know some people think it's fun wrecking stuff for no reason, but electronics require lots of energy and valuable resources to manufacture, there are better ways to handle this than wanton destruction. Plus, wrecking computers with guns creates shrapnel that really shouldn't get sprinkled all over the immediate landscape.

If these guys risk up to 90 years in jail for $50 million (even after they agreed to forfeit the earnings), then I guess those responsible for the financial crisis should be publicly executed in Times Square. It's funny how the US Justice System works, but then again they wanted to put Aaron Swartz behind bars for up to 35 years for breaking the ToS of a web service, so nothing about this surprises me anymore.

Criminals are criminals, not out of accident, but because they think they are too smart to be caught. Giving harsh sentences only works to a certain extent. Beyond that it is a question of protecting society from repeated acts by the same person (rape/murder/...).

Proof in point, has the US war on drugs, leading to the largest prison population (per capita) of any comparable democracy, solved the problem (of too many drug users)? In contrast treating the aids threat as a health problem that it is, with information and treatment options, has resulted in quite some successes.


Glitch, The system is broken I agree

But I agree because these guys will probably only end up with a slap on the wrist for conspiring to steal thousands or even millions of people's money. Is stealing a dollar from a million people worse than stealing a million dollars from one? I think it is far worse in terms of the proverbial pain and suffering. My sentencing recommendation would be one year for each offence regardless of the financial value and it should be served consecutively. Good behavior should only be taken into consideration for the last 1 year sentence.

People like these destroy lives. For that alone they deserve no sympathy, no deals for putting their hands up. It's about time a few maximums were handed out by these liberal zealots we call judges.

Perhaps then when folks realise the seriousness of the penalties and that police worldwide will do what's needed to get them they will think twice. And if a nation's police won't play then they also lose their server-based connections to the outside world. It's about time the innocent were protected and the guilty were punished.